The material published in this web log is for general
purposes only. It does not constitute nor is it intended to represent
professional advice. You should always seek specific professional advice in
relation to particular issues. The information in this web log is provided "as
is" with no warranties and confers no rights. The opinions expressed herein are my own personal opinions.

The NHS was not targeted. It was not singled out in any meaningful way. It just had a large number of vulnerable machines. A small number of users were likely to have been lured into opening an attachment or clicking a link in a “believable” email that is being sent to 10,000s of users around the world.

Such attacks routinely happen to organisations. Single machines are constantly being held to ransom. It is very nasty.

What is so special about this attack is once opened or clicked, the malware is looking to exploit a weakness announced two months ago in all Windows machines that allows it to propagate to all susceptible machines on an internal network.

One careless click, hundreds of machines taken out.

What is sad? Many susceptible machines could have been protected by applying routine patches.

What is bad? The remaining susceptible machines were too old to protect. They should have been replaced.

Remember: Around 100 clicks brought much of the NHS to its knees. We will probably never know how much each click cost the NHS.

I’ve just read the BBC News article that there were nearly six million fraud and cybercrime cases in the United Kingdom in 2015.

I doubt that will surprise anyone working in cybersecurity but what is surprising is how many people still seem to believe that this is something that is unlikely to affect them, is a minor issue or something from science fiction. I also find it surprising how many SME businesses are blasé about their risk exposure to cybercrime. Their take remains that they are too small for anyone to bother attacking them. The same also goes for individuals.

The reality is that they are precisely the easy, soft target that automated tools seek out.
While the BBC article was based on figures released by the Office of National Statistics (ONS), the Cyber Crime Assessment 2016 report published by the National Crime Agency (NCA) echoes the same sentiments.

I meet a lot of people through the various roles I undertake in a national context (such as being the Director General of the Institution of Analysts & Programmers, a director of the Trustworthy Software Foundation and a member of the Information Commissioner’s Technology Reference Panel). The conversations that I am currently having frequently return time and again to the growing cybersecurity threat to the national infrastructure, business of all sizes and to individual citizens. The topic has been buzzing in the security community for a while, has broken into mainstream IT and now slowly seems to be gaining traction with the wider public.

The overview of the NCA paper asserts that the “speed of criminal capability development is currently outpacing our response as a community”. It seems we are currently losing the battle against cybercrime. Business leaders, particularly in the SME sector, must respond and get to grips with the risks they face. Individuals need to come to terms with the fact that cybercrime is a major threat to them.

Mr Crossley was the owner of the law firm ACS Law, which has recently ceased trading. The firm gained widespread exposure for its aggressive pursuit of those alleged to have infringed copyright through peer-to-peer file sharing activities in recent years. It seems that many of those pursued by the firm were probably innocent and I understand that the only successful prosecutions in this matter were won by default when the defendants failed to appear in court.

In September 2010, ACS Law's web site was seriously attacked, causing it to crash. In the subsequent aftermath, a backup file containing emails between ACS Law's employees and other parties appeared on the web site, which allowed anyone to access around 6,000 people’s sensitive personal information. These emails included credit card details as well as references to people’s sex life, health and financial circumstances.

The Information Commissioner, Christopher Graham, has made it very clear that had ACS Law still been trading then the fine could have been as much as £200,000: "Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach".

I feel this fine is important because it shows that the ICO is prepared to fine SME organisations large amounts and is also prepared to pursue their owners in cases of serious breach where the owner is a sole trader.

The Information Commissioner stated that: "The security measures ACS Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details". I am often shocked about how poor security is at SME organisations. Many SME business leaders do not listen to advice about security matters. I am also afraid to say that many IT suppliers also do not care about security, preferring to close a sale at any cost. They often fail to make their customers aware of the risks they face, taking a view that it is the customer’s problem if they don't recognise or understand the issues at stake.

Worse still, many SME firms run their IT systems on a shoestring, avoiding professional advice wherever possible, and only bring in competent support when things really become dire.

It is clear that Mr Graham takes a rather dim view of this approach to managing a company's IT infrastructure. He makes it clear that "Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law's web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure." The Information Commissioner clearly believes that if you are going to use IT systems then you should do it properly and not on a shoestring.

If anything, this fine also highlights the importance of taking proper advice and may presage a greater use of Chartered IT Professionals.

The message must be that if you use IT in your business (whatever your firm's size), you must take proper advice, you must not try to cut corners and you must not treat IT security in a cavalier fashion.

I was interested in what Sir Christopher Meyer (HM Ambassador to the United States between 1997 and 2003) had to say about WikiLeaks on BBC Question Time last night.

I understand from what he was saying that the United States created a massive ‘intranet’ to share intelligence from around the world between their agencies as part of their response to 11th September 2001 attacks. They wanted a clearer picture of the emerging threats to the United States.

He suggests that over two and half million people have access to this ‘intranet’ and implies that leaks were inevitable.

I feel that there is an important lesson here for any government or commercial enterprise that tries to build massive databases. The more people who have access, the more likely there is to be a leak.

I find it worrying that the Information Commissioner’s Office (ICO) reports that the NHS is the United Kingdom’s worst offender in terms of keeping personal data, especially in light of the Patient Summary Care Record scheme, which will eventually hold details from most people’s medical records.

The question for me is simple: Can they be trusted to look after computerised medical records?

According to a spreadsheet accompanying the ICO’s press release of 28th May 2010, the NHS has reported more breaches than any other body to date. The data shows that these losses have largely been through either lost or stolen data/hardware rather than insecure disposal or accidental disclosure.

I agree absolutely with David Smith, the Deputy Commissioner, who said: “The ICO maintains it is essential that the protection of people’s personal information is part of organisations’ culture and DNA.”

However, the issue of data protection is clearly wider in scope than our trust in the NHS’ ability to keep our data secure.

The press release actually marks the 1,000th breach reported to the ICO, with the actual number now standing at 1,007. A rough calculation suggests that between one-in-two and one-in-three people in the United Kingdom have had their personal data compromised.

However, the data shows that the second largest offender collectively is the private sector, which doesn’t surprise me. Worse still, I suspect that most private sector breaches probably go unreported, so this figure might be the tip of the iceberg.

The ICO is keen to remind organisations that it can now levy fines of up to £500,000 per breach.

If you would like to know more about the new powers the Information Commissioner acquired in April 2010 and what the outcome might be should you be reckless with personal data then you might like to read my recent blog on data protection!

I welcome the two IT related bills in the Queen’s Speech.
The Freedom (Great Repeal) Bill will limit the amount of time that the DNA profiles of innocent people in England and Wales can be held on the national database and will adopt the Scottish model. This seems to be much more proportionate than holding a blanket database of everyone’s DNA, which was where we seemed to be heading at one point. I believe that this would have led to all sorts of problems in the future. I think that this bill now strikes the right balance between bring criminals to justice and ensuring the privacy and freedom of innocent people.

I imagine that 21st April 2010 will be a day that McAfee will remember for sometime to come and probably one they would much prefer to forget!

The antivirus vendor issued its daily security update DAT5958 at 06:00 PDT (GMT-7), but by 13:00 BST (GMT+1) the update was wreaking havoc on many corporate networks in the United Kingdom, let alone the rest of the world!

McAfee acted fairly quickly by pulling the affected virus definition file (DAT5958) from their download servers, preventing more customers from becoming involved in what must be one of the worst update issues to impact corporate networks for some time.

They released DAT5959 to replace the affected virus definition file at around 10:15 PDT (GMT-7).

This incident comes on the back of reports that many modern anti-virus products are failing to detect malware. I’ve just been reviewing Cyveillance’s February 2010 Cyber Intelligence Report, which suggests McAfee detects around 37% of emerging threats on a daily basis (based on data from the last half of 2009). Kaspersky came out on top with a daily detection rate of 38%, but many were much poorer - such as Symantec on 25%.

The time for relying on straight-forward anti-virus products seems to be coming to an end…